asking the right questions about cybersecurity

Post on 13-Jan-2016

ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY

Dr Ian Brown, Senior Research Fellow

Oxford Internet Institute

HOW CAN WE…

Design and execute strategic responses that carefully target security threats, avoiding where possible tactical arms races?

Get the best return on security investment?

Build citizens’ trust and maintain democratic legitimacy?

OUTLINE

Definitions and the scale of the threat: graffiti, fraud, terror, war and espionage

Value at risk

Policy responses

Trust and democratic legitimacy

CYBER GRAFFITI

Defacement of Web sites with inadequate security

Mainly for propaganda and bragging

Increasingly used to distribute “drive-by” malware

CYBER FRAUD

Highly efficient criminal economy has sprung up (bot herders, coders, mules, phishermen)

Phishing (Symantec observed 207,547 unique phishing messages 2H 2007) – with increased targeting

Denial of Service extortion (Symantec observed 5,060,187 bots 2H 2007)

Anti-Phishing Working Group Q2 2008 report

SCALE OF FRAUD

Internet Crime Complaint Center 2007 Annual Report p.3

Symantec Report on the Underground Economy 2008 p.49

CYBER TERROR

“Terrorists get better returns from much simpler methods such as car bombs. Cyberterror is too low key: not enough dead bodies result, and attacks are too complex to plan and execute.” (Bird 2006)

In reality, terrorists use the Internet for communications, research (although the CBRN information available online is poor: Stenersen 2007), propaganda, recruitment and a sense of belonging (Labi 2006 and Shahar 2007), and tactical intelligence (US Army 2005)

CYBERWAR?

Attacks on Estonian finance, media and government websites by Russian nationalist groups after a Soviet war memorial was moved (2007)

“Complexity and coordination was new… series of attacks with careful timing using different techniques and specific targets” (NATO)

Arbor Networks monitored 128 distinct attacks, with 10 lasting over 10 hours and reaching 90Mbps

CYBER ESPIONAGE

Incursions into the US DoD, the German chancellery, Whitehall, NASA, Lockheed Martin…

“Chinese attackers are using custom Trojan horse software targeted at specific government offices, and it is just walking through standard defences. Many government offices don’t even know yet that they are leaking information. 99% of cases are probably still not known.” (NATO)

“Intrusion detection systems react to obvious signatures such as lots of traffic from one IP address – so onion routing and botnets are used to disguise the origin of intrusions.” (Sommer)
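Sommer’s point can be made concrete with a small detector. The example below is added here for illustration and is not part of the original deck; the log lines are constructed (hypothetical addresses from the documentation ranges, hypothetical target name) and the format “epoch source target” is an assumption. A per-source threshold catches a single noisy address, but the same request volume spread across a botnet of twenty sources never trips it; aggregating by the victim instead does.

```python
from collections import defaultdict, deque

# Constructed sample log lines (not from the original presentation).
# Each line: "<epoch seconds> <source IP> <target host>".
SINGLE_SOURCE = [f"{1000 + i} 203.0.113.7 www.example.ee" for i in range(60)]
# Same 60 requests in the same 60 seconds, spread over 20 bot addresses.
DISTRIBUTED = [f"{1000 + i} 198.51.100.{i % 20 + 1} www.example.ee" for i in range(60)]


def parse(line: str):
    """Split a constructed log line into (timestamp, source_ip, target)."""
    ts, src, target = line.split()
    return int(ts), src, target


def _windowed_alerts(lines, key_index: int, threshold: int, window: int):
    """Return the set of keys that exceeded `threshold` events in any `window` seconds.

    key_index selects which parsed field to aggregate on: 1 = source IP, 2 = target.
    """
    recent = defaultdict(deque)   # key -> timestamps inside the sliding window
    alerts = set()
    for line in lines:
        fields = parse(line)
        ts, key = fields[0], fields[key_index]
        q = recent[key]
        q.append(ts)
        while q[0] < ts - window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts.add(key)
    return alerts


def per_source_alerts(lines, threshold: int = 50, window: int = 60):
    """The 'obvious signature': lots of traffic from one IP address."""
    return _windowed_alerts(lines, key_index=1, threshold=threshold, window=window)


def per_target_alerts(lines, threshold: int = 50, window: int = 60):
    """Aggregate by victim, so origin-spreading (botnets, onion routing) does not hide the surge."""
    return _windowed_alerts(lines, key_index=2, threshold=threshold, window=window)


if __name__ == "__main__":
    print("single source, per-source:", per_source_alerts(SINGLE_SOURCE))   # {'203.0.113.7'}
    print("botnet,        per-source:", per_source_alerts(DISTRIBUTED))     # set()
    print("botnet,        per-target:", per_target_alerts(DISTRIBUTED))     # {'www.example.ee'}
```

The per-target rule needs a baseline (a fixed 50 requests per minute would flag any popular site), so in practice the threshold is derived from the target’s normal rate; the structural lesson stands either way: key the detection on what the attacker cannot spread out.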

OUTLINE

Definitions and the scale of the threat: graffiti, fraud, terror, war and espionage

Value at risk

Policy responses

Trust and democratic legitimacy

OUR REAL GOALS

Availability & integrity of Critical National Infrastructure

Protection of confidential information

Manageable levels of fraud

…all in cost-effective form, where costs include inconvenience, enhancement of fear, negative economic impacts & reduction of liberties

GOVERNMENTAL RESPONSES

Protecting govt infrastructure – $294m requested by DHS for 2009; $6bn requested for NSA initiative

Critical infrastructure programmes – e.g. CPNI (UK Centre for the Protection of National Infrastructure), InfraGard (FBI–industry partnership)

Law enforcement response – e.g. PCeU (Police Central e-crime Unit); the FBI has 800+ full-time agents and received 320,000 complaints in 2007

Updating legislation – Council of Europe Cybercrime Convention

CROSS-GOVERNMENT ACTION

Fund security R&D with INFOSEC agency participation

Use procurement, licensing and standardisation power to require significantly higher security standards in systems and services

Use diplomacy to pressure state actors behind Russian Business Network, DDoS attacks, classified network incursions etc.

REDISTRIBUTING LIABILITY

House of Lords concluded liability must be shifted to some combination of software vendors, ISPs and financial institutions

Intended to incentivise innovations such as RBS off-line consumer card terminal

BETTER SECURITY ENGINEERING

Least-privilege processes, enforced by a formally verified security kernel

Verification of device security before providing network connectivity

Two-factor authentication

Full Disk Encryption, esp. for removable media

Perimeter controls to block sensitive data exfiltration

Air-gap the most sensitive systems, e.g. SCADA; separate public-facing websites from internal systems

OUTLINE

Definitions and the scale of the threat: graffiti, fraud, terror, war and espionage

Value at risk

Policy responses

Trust and democratic legitimacy

TRUST IS FRAGILE

“Trust is built over the long term, on the basis not of communication but of action. And then again, trust, once established, can be lost in an instant” -Neil Fitzgerald, Chairman, Unilever

SHORT-TERM TRUST

• Reputation of the organising institution

• Opinions in the mass media about technologies

• Attitudes & opinions of friends and family

• Convenience the system brings (Oostveen 2007)

TRUST IN GOVERNMENT

LONGER-TERM LEGITIMACY

• Informed, democratic consent

• Do citizens and their representatives have full information on costs & benefits?

• Privacy Impact Assessment?

• Compatibility with human rights (S & Marper v UK, Liberty v UK, I v Finland)

• Continued legislative and judicial oversight and technological constraint

• Privacy by Design

CREDIBLE IMPACT ASSESSMENT

• Risk must be quantified to be meaningful, even for low-probability high-impact events

• How strong is evidence that “solution” will work?

• How widely do stakeholders agree that cost << benefit? Include direct cost, inconvenience, enhancement of fear, negative economic impacts, reduction of liberties

• “Any analysis that leaves out such considerations is profoundly faulty, even immoral” (Mueller 2008)

STRATEGIC IMPACT

Do systems damage societies’ key values e.g. by censoring websites or undertaking warrantless wiretaps?

“Techniques that look at people's behavior to predict terrorist intent are so far from reaching the level of accuracy that's necessary that I see them as nothing but civil liberty infringement engines.” –Jeff Jonas, Chief Scientist, IBM Entity Analytics

HOW NOT TO DO IT

• “We really don't know a whole lot about the overall costs and benefits of homeland security” –senior DHS economist Gary Becker (2006)

• “Policy discussions of homeland security issues are driven not by rigorous analysis but by fear, perceptions of past mistakes, pork-barrel politics, and insistence on an invulnerability that cannot possibly be achieved.” – Jeremy Shapiro (2007)

• “Finding out other people’s secrets is going to involve breaking everyday moral rules.” –David Omand (2009)

KEY QUESTIONS

How can we target security interventions to maximise long-term RoI?

How can law enforcement best work with partners across government and industry to reduce damage?

Are we getting the right balance between reducing vulnerabilities, increasing availability and monitoring/response?

REFERENCES

Juliette Bird (2006) Terrorist Use of the Internet, The Second International Scientific Conference on Security and Countering Terrorism Issues, Moscow State University Institute for Information Security Issues

Nadya Labi (2006) Jihad 2.0, Atlantic Monthly, Jul/Aug, pp. 102–107

John Mueller (2008) The Quixotic Quest for Invulnerability, International Studies Association, New York

AM Oostveen (2007) Context Matters: A Social Informatics Perspective on the Design and Implications of Large-Scale e-Government Systems, PhD thesis, Amsterdam University

Yael Shahar (2007) The Internet as a Tool for Counter-Terrorism, Patrolling and Controlling Cyberspace, Garmisch

Anne Stenersen (2007) Chem-bio Cyber-class: Assessing Jihadist Chemical and Biological Weapons, Jane’s Intelligence Review, Sep
